Over Christmas 2013 security researcher Eloi Vanderbeken of Synacktiv Digital Security discovered that a number of popular routers, including models made by Netgear, Cisco (including Linksys) and Diamond, contained a backdoor that became known as TCP-32764.
The backdoor listened on TCP port 32764 of DSL routers (i.e. those designed for ADSL broadband) whose firmware is based on technology from the Taiwanese manufacturer Sercomm. That sounds bad enough, but things got worse.
Following the discovery a security patch was issued, but over Easter (funny how this story is so seasonal!) Vanderbeken found that the ‘patch’ did not in fact remove the backdoor, but merely hid it: the listener on port 32764 is switched off until someone sends the router a secret ‘knock’, after which it is reachable again exactly as before. The knock is a specially crafted raw Ethernet frame rather than a routable IP packet, so it has to come from a device on the same network segment as the router (the LAN side, or the ISP’s side of the DSL link), not from an arbitrary host on the internet.
The reactivated backdoor uses the same code that provided administrative access over the concealed port the first time around, which left Vanderbeken in no doubt that it was no accident. ‘It’s DELIBERATE’ says Vanderbeken in his presentation slides.
Once activated, the backdoor listens on the TCP port again and accepts unauthenticated commands with ‘root shell’ privileges. Anyone who can reach it can dump the router’s entire configuration (stored credentials included), run commands on the device, and poke at hardware features such as blinking the router’s lights.
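If you want to check whether your own router answers on that port, the following probe speaks the backdoor’s framing. It is an added example written for this article, not code from the original page or from Vanderbeken’s published proof-of-concept. It assumes the 12-byte request/reply header (magic word, message type, payload length) and the magic value 0x53634D4D documented by that proof-of-concept, and the message-type numbering is taken from the same source (treat it as an assumption and verify against the public code). The fallback address 192.168.1.1 is a placeholder for your own gateway; run it only against equipment you own.

```python
"""Probe a router for the TCP/32764 'ScMM' backdoor listener."""
import socket
import struct
import sys

BACKDOOR_PORT = 32764
MAGIC = 0x53634D4D      # the four bytes "ScMM"; appears as "MMcS" on the wire from a little-endian target
HEADER_LEN = 12         # three 32-bit words: magic, message type, payload length
# Message-type numbers follow the public proof-of-concept client (assumption: check it
# before relying on them); type 1 asks for the configuration dump described in the article.
MSG_DUMP_CONFIG = 1


def build_request(msg_type, payload=b"", little_endian=True):
    """Pack a backdoor request: header (magic, type, length) followed by the payload."""
    fmt = "<III" if little_endian else ">III"
    return struct.pack(fmt, MAGIC, msg_type, len(payload)) + payload


def parse_response_header(data):
    """Decode the 12-byte reply header the backdoor sends back.

    Returns (little_endian, return_code, payload_len) when the magic is present in
    either byte order, or None when the bytes are not a backdoor reply at all.
    """
    if len(data) < HEADER_LEN:
        return None
    for little_endian, fmt in ((True, "<III"), (False, ">III")):
        magic, ret, length = struct.unpack(fmt, data[:HEADER_LEN])
        if magic == MAGIC:
            return little_endian, ret, length
    return None


def probe(host, port=BACKDOOR_PORT, timeout=3.0):
    """Report whether anything on host:port answers with the backdoor's magic header.

    A request packed in the wrong byte order is not guaranteed an answer, so the
    probe tries little-endian first and then big-endian on a fresh connection.
    """
    result = {"host": host, "port": port, "open": False, "backdoor": False, "little_endian": None}
    for little_endian in (True, False):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                result["open"] = True
                sock.sendall(build_request(MSG_DUMP_CONFIG, little_endian=little_endian))
                data = sock.recv(HEADER_LEN)
        except OSError:
            # connection refused / unreachable, or a timeout on connect or recv
            if not result["open"]:
                return result          # nothing listening at all; no point retrying
            continue                   # something listens but stayed silent in this byte order
        header = parse_response_header(data)
        if header is not None:
            result["backdoor"] = True
            result["little_endian"] = header[0]
            return result
    return result


if __name__ == "__main__":
    # Assumed default gateway address; pass your router's LAN address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(probe(target))
```

A closed port (`open: False`) tells you only that the listener is off right now; after the Easter finding that is the normal state until a knock arrives, so an open-and-answering result is the definitive signal, and a closed one is not proof the code is absent. A plain `nmap -p 32764 <router>` gives the same open/closed answer without the protocol check.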
24 router models with the backdoor (original and reactivated forms) are currently known, but nobody knows how far the problem actually spreads. No patch is currently available (and would you trust one if there were?), and Sercomm has so far refused to comment.
The best defence against not just this particular piece of malicious programming, but against any manufacturer-introduced backdoor, is to use a router flashed with DD-WRT (or Tomato). DD-WRT is open source firmware that can be ‘flashed’ onto routers, replacing the original wholesale, so the Sercomm component that implements the backdoor is wiped along with the rest of the vendor firmware. It often provides a great deal of additional functionality too, such as a VPN client, a server for NAS storage or a network printer, or a repeater for extending the range of your WiFi.
Perhaps the biggest advantage, however, is that because DD-WRT is a community-developed open source project its code can be independently audited, which makes a hidden service of the kind Vanderbeken found far harder to slip past reviewers than in a vendor’s closed binary. That is a strong reason to trust it, not an absolute guarantee: an audit only covers what people actually review, and builds for some chipsets still ship proprietary wireless driver blobs that nobody outside the chip vendor can inspect.
A full list of DD-WRT compatible models is available from the official DD-WRT website, complete with instructions on how to flash them yourself. This is, however, a rather involved task that can potentially ‘brick’ a router, so for an easy life you may prefer to buy one ‘pre-flashed’.
If you are interested in going down this route then we have reviewed two of the most popular pre-flashed routers (representing opposite ends of the price spectrum), the Linksys N300v2, and the Asus RT-AC66U.